VIEWPOINT

DATA PROTECTION AND PRIVACY IN COVID-19 TIMES

DATA PROTECTION AND PRIVACY IN COVID-19 TIMES

PHILIP CHONG AND MAURYA VELPULA

HOW SAFE IS YOUR PERSONAL INFORMATION?

Governments around the world have made (or are making) great effort to build their capabilities, especially to speed up contact tracing. With the rise of new waves of infection, the impetus to perform contact tracing is much stronger as countries continue the fight to keep the Covid-19 spread under control.

In the initial days of the spread, contact tracing was manual. Health authorities interviewed infected/suspected patients to identify the places they visited and their close contacts. This process relies entirely on an individual’s memory, which may not be accurate and practical when public healthcare systems are under strain or running against the clock.

Accurate data can help speed up this process and contact tracing apps/solutions promise to deliver exactly that. However, their efficiency depends on the effectiveness of their technology and uptake of the solutions by the population. Resistance from the public due to concerns on data privacy, security, lack of trust in the government and the popular belief that the government may be trying to establish widespread monitoring of its citizens affect the uptake of such solutions.

WHAT HAS BEEN DONE TO AID CONTACT TRACING IN SINGAPORE?

Singapore entered Phase 2 of its post-circuit breaker reopening on 19 June 2020 where small group gatherings, dining-in at restaurants, retail shopping, exercising in gyms and returning to work are a possibility. It is a “new normal” where all individuals and establishments have to adhere to safe management measures. In addition to physical distancing measures, everyone is required to log in and out of all the commercial places they visit.

The Singapore government introduced SafeEntry – a national digital check-in system, TraceTogether – a community-driven contact tracing app, and TraceTogether Token – a physical device. These solutions are part of its efforts to cover as much ground as possible. Figure 1 provides more details of Singapore’s Covid-19 contact tracing solutions.

Figure 1 Singapore’s Covid-19 contact tracing solutions

WHAT ARE THE SAFEGUARDS PUT IN PLACE?

While the solutions look promising in aiding contact tracing, the key questions are whether they are safe for use and whether the citizens’ concerns on privacy are valid.

According to the Personal Data Protection Commission (PDPC)’s advisory on contact tracing, the personal data of visitors/employees (including NRIC/FIN/Passport numbers) can be collected and used for the purposes of contact tracing and other responses in the event of an emergency that threatens the life, health or safety of other individuals. Organisations must comply with the Personal Data Protection Act (PDPA) and make reasonable security arrangements to protect the personal data from unauthorised access or disclosure, and ensure that the personal data is not used for other purposes without consent or authorisation under the law.

That said, the contact tracing solutions implemented by the Singapore government are exempt from PDPA. However, this does not mean that these solutions need not follow the key principles of data privacy and protection. Public sector agencies have to comply with Government Instruction Manuals and the Public Sector (Governance) Act (PSGA). Collectively, these provide comparable, if not higher, standards of data protection compared to the PDPA, and similar investigations and enforcement actions are taken against data security breaches.

Figure 2 shows the safety measures put in place and how they measure up to the requirements of Singapore’s PDPA, solely based on a review performed on their privacy notices and FAQs.

Figure 2 Safety measures compared against Singapore’s PDPA requirements

The measures stated earlier allow us to safely conclude that these solutions are not intrusive. Nonetheless, there are points that are still unclear:

  • The extent to which there may be disclosure to a range of government agencies outside of the Ministry of Health and overseas

The TraceTogether app and SafeEntry system were developed by the Government Technology Agency (GovTech). Data collected via these solutions are stored in a government server and the government is the custodian of the data. For contact tracing and Covid-19 control measures, various departments might work together and hence, data might be disclosed internally. While this is still within government boundaries and each department is subject to the same stringent measures, protecting the data shared needs to be done by all the departments involved to be effective.

Also, if contact tracing identifies individuals who are no longer in the country, it is not clear if the overseas authorities will be informed. When disclosing information overseas, the data should be protected to avoid unintended leakage during transfer, and efforts should be made (which might be difficult to enforce in the first place) such that the overseas authorities do not use the data for any other purposes, particularly if it is a Singaporean who has gone overseas.

  • If there was a privacy impact assessment (PIA) and or a privacy by design analysis (PbD) conducted

A PIA helps identify and assess the privacy risks inherent in a process, system or initiative. As best practice, a PIA is recommended before system implementation so that adequate measures can be taken to address the privacy risks identified. In the spirit of transparency and accountability, PIAs should be conducted for contact tracing solutions given that the processing is likely to result in a high risk to the rights and freedom of individuals. Both Australia and New Zealand have published their PIAs for COVIDSafe and NZ COVID Tracer apps on their Ministry of Health websites respectively. These PIAs provide more details on information collection, data flows, security, governance and data access and hence, there is more transparency.

PbD is also a best practice; it recommends building privacy aspects proactively into the design, operations and management of a given system or process. Using this framework, privacy requirements are built into the system from the design stage itself instead of being incorporated as an afterthought. A PbD analysis will give additional comfort that the contact tracing solutions have been built taking into consideration the privacy aspects.

  • Timing of when the data will be deleted from the central server if pulled from the mobile app/token for contact tracing is unknown

While it is clear that the contact tracing solutions will be discontinued after contact tracing ceases, it is unclear how long the data, which was already uploaded into the server, will be kept. Even though it may be difficult to determine at this point, a reasonable retention period should be decided on – would it be to delete the data of infected individuals after they fully recover, once contact tracing ceases, wait till Covid-19 is totally eradicated or any other reasonable timeline? At the end of this period, the information should be safely discarded to avoid any future use/misuse and accidental disclosure.

HOW DO THE SINGAPORE CONTACT TRACING SOLUTIONS COMPARE AGAINST THE REST OF THE WORLD?

According to a research by Linklaters, as of April 2020, 28 countries have launched official contact tracing solutions and a further 11 more are developing one.

The types of solutions/apps (Figure 3) that are available in these countries can be classified according to whether:

  • they use GPS location or Bluetooth proximity data;
  • the data is centrally stored or decentralised, and
  • the data is uploaded in real time or as necessary.

Figure 3 Contact tracing solutions around the world

While these solutions are government-funded/developed, their security has also come into question. A major security vulnerability was identified in Qatar’s Ehteraz app, exposing sensitive personal data of over a million people. This is disturbing news especially considering that this app was mandatory. Another example is an app developed by North Dakota, which failed to abide by its own policy. It shared user location with Foursquare, which is a geolocation-advertising service. In a race to combat Covid-19, governments and organisations might launch solutions/apps without enough protection to safeguard them.

The different contact tracing solutions used also show the varying methods governments have undertaken to monitor and trace movements. While invasive mass surveillance methods are the most effective, they bring up burning questions around violating privacy and human rights. This extensive data also needs to be heavily safeguarded (for example, through encryption, anonymisation, etc) to avoid misuse.

On the other hand, non-invasive and voluntary solutions/apps have yet to show their effectiveness due to the low uptake and technical issues. However, they are far better in terms of protecting privacy as they are lawful, proportionate to the needs, limited in scope, time bound and anonymised, thereby posing a lower risk of marginalising and discriminating individuals. Efforts to allay fears and garner support for these solutions/apps are currently insufficient and should be ramped up by governments to increase uptake. One recommendation is to make these solutions mandatory for a fixed period of time, maybe till the end of 2020, and ensure all the security measures are in place to protect the user data from exposure or misuse.

We are in unprecedented times. How far can organisations and governments go in trying to prevent the spread of Covid-19? When it comes to a matter of public health and survival, where should we draw the big red line? Unfortunately, there is no right answer, and it depends on trust – in the government and in the people.

Tips: What can you do to safeguard your data?

  • Most importantly, ensure that your mobile device is secured as it now contains a lot of data.
  • When using phone cameras to scan the QR code, ensure that they are directing to the SafeEntry website (that is, gov.sg domain) and avoid scanning malicious QR codes.
  • Alternatively, use the SingPass Mobile application; this is recommended as it does not require manual data to be entered and hence, has fewer chances of keylogging.
  • If a particular premises is using its own check-in interface (for example, the check-in system at some malls/retailers that incorporates both loyalty membership requirements and the SafeEntry system), ensure that you clearly understand the terms and conditions, and the purposes for which the data might be used, which may extend beyond contact tracing.


Philip Chong is Risk Advisory Executive Director, and Maurya Velpula is Director, Deloitte Southeast Asia.